1000 search results

Adding Remember Me

…two steps. First, make sure that your checkbox has no value and that its name is _remember_me: That's the magic name that Symfony will look for. Second, in security.yaml, under your firewall, add a new remember_me section. Add two other keys…

3:47
Manual Authentication / Registration

…to do with security! Think about it. What is registration? It's just a form that creates a new record in the User table. That's it! That's just database stuff. So then... why are we even talking about this in a security tutorial…

11:19
Author ManyToOne Relation to User

…why are we talking about database relationship in the security tutorial? Am I wandering off-topic again? Well, only a little. Setting up database relations is always good practice. But, I have a real, dubious, security-related goal: this setup will lead us to some…

7:07
API Token Authenticator Part 2!

…send again. Woh! It redirects us to /login? I did not see that coming. Sometimes the hardest part of security is figuring out what's happening when something unexpected occurs. So, let's figure out exactly what's going on here. When authentication fails, this…

8:18
Adding a Custom Voter

…Call it ArticleVoter. It's pretty common to have one voter per object that you need to decide access for. Let's go check it out src/Security/Voter/ArticleVoter.php: Nice! Voters are a bit simpler than authenticators: just two methods. Here's how…

7:47
Denying Access in a Controller

…user has a role, you'll always use one service: the authorization checker. It looks like this: if (!$this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')). So, if we do not have ROLE_ADMIN, then throw $this->createAccessDeniedException(): That message is just for us developers…

2:38
Impersonation (Login as Someone Else)

…way. We need to be able to switch to that user's account: we need to impersonate them. Setting up impersonation is super easy. In security.yml, under your firewall, add a new key called switch_user set to ~ to activate the system: Now, on…

2:46
Automatically Login after Registration!

…easy because we're using Guard authentication. Inside of UserController, instead of redirecting to the home page: do this: return $this->get() to find a service called security.authentication.guard_handler. It has a method on it called authenticateUserAndHandleSuccess(). I'll clear the arguments and…

3:10
Rendering that Login Form

…Great! This template also has a bunch of boilerplate code, so copy that from the docs too. Paste it here. Update the form action route to security_login: Well, it ain't fancy, but let's try it out: go to /login. There it is…

6:32
The Mysterious "User Provider"

…for user AppBundle\Entity\User. What the heck is a user provider and why do we need one? A user provider is one of the most misunderstood parts of Symfony's security. It's an object that does just a few small jobs for you…

2:18
Logging out & Pre-filling the Email on Failure

…But, it is not setting the last username on the session... because it doesn't really know where to look for it. No worries, fix this with $request->getSession()->set() and pass it the constant - Security::LAST_USERNAME - and $data['_username']: Now, try it again…

4:21
Debugging!

…that can be used to activate development settings locally. But first, we need to play with permissions: Drupal makes some files in this directory readonly for security. Start by making sites/default writable by us: Now, copy sites/example.settings.local.php to sites/default…

3:18
Start Securing the App!

…will be saying soon to API clients in this tutorial that don't have valid credentials! Yep, welcome back guys, this time to a tutorial that's making security exciting again! Seriously, I'm pumped to talk about authentication in an API... and in particular…

4:20
Authenticate a Request with JWT

…it alone: Copy that name and run it: Instead of the 201, we get a 200 status code after being redirected to /login. I know we don't have our security system hooked up yet, but pretend that it is hooked up and working nicely…

2:18
Registering the Authenticator (Part 2)

…authenticator. Set its class to AppBundle\Security\JwtTokenAuthenticator: And instead of adding an arguments key: here's your permission to be lazy! Set autowire to true to make Symfony guess the arguments for us. Finally, copy the service name and head into security.yml. Under…

2:12
Lock down: Require Authentication Everywhere

…OR, use a cool trick from SensioFrameworkExtraBundle. Give the controller class a doc-block and a new annotation: @Security. Auto-complete that to get the use statement. Then, add "is_granted('ROLE_USER')": Now we're requiring a valid user on every endpoint. Re-run…

3:09
Twig Mind Tricks

…every template, you have access to a variable called app. This has a bunch of useful things on it, like the request, the security context, the User object, and the session: It's actually an object called GlobalVariables, which you can check out yourself. So…

1:55
Course

Learn APIs

RESTful APIs in the Real World Course 2

…we're attacking the hard stuff: Using a serializer; Token Authentication System (Silex's security system); Hypermedia versus media; The HAL hypermedia type; The HATEOAS PHP library; The HAL Browser; Embedding resources (versus adding links); Tricks with Behat for testing API's; Pagination and filtering…

26 videos | 2:18:26
App & Test Setup

…relations, IRIs, filtering and more. In part 2, we talked about security, logging in, adding authorization checks to operations, making it so that certain fields can be read or written only by specific users and some pretty serious work related to custom normalizers for even…

7:44
UUID's

…all of the users... though you should - ya know - use security to avoid this if it's a problem. Auto-increment IDs have another downside: when you use an auto-increment database id as the key in your API, it means that only your server…

7:29